Re: [exim-dev] Exim support for OpenDMARC

Author: Phil Pennock
Date:  
To: Todd Lyons
CC: exim-dev
Subject: Re: [exim-dev] Exim support for OpenDMARC
On 2013-03-21 at 12:59 -0700, Todd Lyons wrote:
> SPF is also required for DMARC to be tested comprehensively, and the
> libspf functions require active DNS with seemingly no way around that.
> This means I cannot fully test DMARC because SPF will always be
> missing if I use the test.ex test harness domain.
Frankly, test.ex strikes me as problematic, because you're not testing
the real code-paths used in normal running code.

Thus testdns.exim.org exists: it'll be even more critical with DNSSEC
checks, to be sure we're really testing what we think we're testing.

I'm happy to add whatever folks want to it.

Anyone on tahini can AXFR the content; in addition, I've attached the
zonefile to this message.

Most recent change was to add the dlv record, but that's failing
because the exim.org DNS servers don't accept queries over TCP; SOA
serial in zone as served happens to match this right now, but isn't
guaranteed (bind inline signing).

-Phil
; $HeadURL: https://svn.spodhuis.org/ksvn/services/trunk/DNS/zones.public/db.testdns.exim.org $
; $Id: db.testdns.exim.org 2621 2013-03-15 06:30:18Z pdp@??? $
;
$TTL  3600
$ORIGIN testdns.exim.org.
@ IN SOA nlns.globnix.net. dnsadmin.globnix.net. (
        2013031422    ; Serial
        3h        ; Refresh
        1h        ; Retry
        10d        ; Expire
        1200        ; Min/Neg TTL
        )     ; end of authority information


@            NS    nlns.globnix.net.
@            NS    us0ns.globnix.net.


@            MX    0 .


@            SPF    "v=spf1 -all"
@            TXT    "v=spf1 -all"
@            TXT    "dummy food"


dlv 0 IN TXT "DLV:1:gbmswyvxymrr"

$ORIGIN misc.testdns.exim.org.
; these resolve to reserved-for-documentation IPs
; some come from test.globnix.net.

; Examples of loading a TXT record via \#
_loaded_0    IN TXT \# 1 00
_loaded_1    IN TXT \# 6 05 48 65 6c 6c 6f


normal            A    192.0.2.1
single\032space        A    192.0.2.2
middle\.dot        A    192.0.2.3
trailing-dot\.        A    192.0.2.4
long-hostname-carefully-selected-to-expose-fixed-length-buffers    A 192.0.2.5
nul\000gap        A    192.0.2.6
foo/slash        A    192.0.2.7
foo:colon        A    192.0.2.8
foo\000null        A    192.0.2.9


txt-3-in-1        TXT    "first" "second" "third"
txt-4-in-2        TXT    "[rec-a part1]" "{rec-a part2}"
txt-4-in-2        TXT    "(rec-b part3)" "<rec-b part4>"


$ORIGIN local.testdns.exim.org.

mx4            A    127.0.0.1
mx6            AAAA    ::1
mx            A    127.0.0.1
mx            AAAA    ::1
mail4            A    127.0.0.1
mail6            AAAA    ::1
mail            A    127.0.0.1
mail            AAAA    ::1
services4        A    127.0.0.1
services6        AAAA    ::1
services        A    127.0.0.1
services        AAAA    ::1
@            MX    10 mx
@            MX    40 mx4
@            MX    60 mx6
_submission._tcp    SRV    10 10 587 mail
_ldap._tcp        SRV    10 10 389 services
@            SPF    "v=spf1 mx a:mail.local.testdns.exim.org -all"


$ORIGIN valid254.testdns.exim.org.
; for IPv6, can't use link-local as that needs scope for resolution, plus
; I've seen some weirdness with fe80:4242::6%lo0 being reported as fe80::6%lo0
; and both being pingable.  Er.
; So use FC00::/7 "Unique Local IPv6 Unicast Addresses" per RFC 4193.
; Not recommended for global DNS, but this is for local systems testing, just
; as we use RFC1918 space for ip4.  Random assignment, L=1, => fd::/8
; The subnetid needs to be random, and the recommended approach uses a MAC
; address as part of the input; sha1(64-bit-binary-NTP-time | MAC) and lowest
; 40 bits.  Rather than code, I searched and found http://bitace.com/ipv6calc/
; which actually just generates random numbers with JS Math.random().  Sod it,
; that's good enough.
;     Unicast Subnet:  fdaa:58d3:2c8b::/48
;   Multicast Subnet:  ff3e:30:fdaa:58d3:2c8b::/96   global
;                      ff38:30:fdaa:58d3:2c8b::/96   organisation-local
;                      ff35:30:fdaa:58d3:2c8b::/96   site-local
;
mx4            A    192.168.254.4
mx6            AAAA    fdaa:58d3:2c8b::254:6
mx            A    192.168.254.4
mx            AAAA    fdaa:58d3:2c8b::254:6
mail4            A    192.168.254.104
mail6            AAAA    fdaa:58d3:2c8b::254:106
mail            A    192.168.254.104
mail            AAAA    fdaa:58d3:2c8b::254:106
services4        A    192.168.254.204
services6        AAAA    fdaa:58d3:2c8b::254:206
services        A    192.168.254.204
services        AAAA    fdaa:58d3:2c8b::254:206
@            MX    10 mx
@            MX    40 mx4
@            MX    60 mx6
_submission._tcp    SRV    10 10 587 mail
_ldap._tcp        SRV    10 10 389 services
; deliberately exclude services as source address
@            SPF    "v=spf1 mx a:mail.valid254.testdns.exim.org -all"
;
; Keep a copy of this valid254 data in the IDN test too, changing only SPF



$ORIGIN xn--qck5b9a5eml3bze.testdns.exim.org.
;
; xn--qck5b9a5eml3bze == グランピートロル (grumpy troll)
; should be a copy of valid254.
;
mx4            A    192.168.254.4
mx6            AAAA    fdaa:58d3:2c8b::254:6
mx            A    192.168.254.4
mx            AAAA    fdaa:58d3:2c8b::254:6
mail4            A    192.168.254.104
mail6            AAAA    fdaa:58d3:2c8b::254:106
mail            A    192.168.254.104
mail            AAAA    fdaa:58d3:2c8b::254:106
services4        A    192.168.254.204
services6        AAAA    fdaa:58d3:2c8b::254:206
services        A    192.168.254.204
services        AAAA    fdaa:58d3:2c8b::254:206
@            MX    10 mx
@            MX    40 mx4
@            MX    60 mx6
_submission._tcp    SRV    10 10 587 mail
_ldap._tcp        SRV    10 10 389 services
; deliberately exclude services as source address
@            SPF    "v=spf1 mx a:mail.xn--qck5b9a5eml3bze.testdns.exim.org -all"
;
idn-puny        MX    10 mx
idn-puny        SPF    "v=spf1 a:mail.xn--qck5b9a5eml3bze.testdns.exim.org -all"
idn-utf8        MX    10 mx
; codecs.lookup('utf-8').encode('グランピートロル')[0] ->
; \xe3\x82\xb0\xe3\x83\xa9\xe3\x83\xb3\xe3\x83\x94\xe3\x83\xbc\xe3\x83\x88\xe3\x83\xad\xe3\x83\xab
;   H.encode( U8.encode(d)[0] ) ->   b'e382b0e383a9e383b3e38394e383bce38388e383ade383ab'
; H=codecs.lookup('hex_codec')
; H.encode(b'.')[0] = '2e'  -- sanity check
; b'v=spf1 a:mail.' -> 763d7370663120613a6d61696c2e
; b'.testdns.exim.org -all' -> 2e74657374646e732e6578696d2e6f7267202d616c6c
; We are encoding an SPF record, the RRdata for which is formatted as a TXT record's is.
; A sequence of strings, each of which is a length octet followed by the data octets.
; The string has length 60, 0x3C, so the length of the data is 61 octets,
; the first of which is the string length and then the "..." data follows
idn-utf8    SPF    \# 61 ( 3C
            76 3d 73 70 66 31 20 61 3a 6d 61 69 6c 2e
            e3 82 b0 e3 83 a9 e3 83 b3 e3 83 94 e3 83 bc e3 83 88 e3 83 ad e3 83 ab
            2e 74 65 73 74 64 6e 73 2e 65 78 69 6d 2e 6f 72 67 20 2d 61 6c 6c
            )


$ORIGIN testdns.exim.org.

_final_record    TXT    "zone loaded"


; vim: set filetype=bindzone :
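The zonefile comments above work out by hand how an SPF/TXT record is encoded as RFC 3597 generic RDATA (the `\#` form): a sequence of character-strings, each a length octet followed by its data octets. The following Python is an added example, not part of Phil's message or of the Exim project; it encodes a list of strings into that wire form, renders and parses the `\#` presentation syntax (including the parenthesised multi-line layout BIND accepts), and splits wire RDATA back into strings while rejecting a length octet that runs past the end of the data. The `idn-utf8` SPF string and the `_loaded_*` records from the zone are reused as inputs so the result can be checked against the 61-octet value in the zone.

```python
"""Encode and decode DNS TXT/SPF RDATA in RFC 3597 generic (\\# ...) form.

Added example, not from the original message or zonefile.  The wire
format follows the zone's own description: each <character-string> is
one length octet followed by at most 255 data octets (RFC 1035).
"""
import re

MAX_STRING = 255  # RFC 1035 <character-string> limit


def txt_rdata(strings):
    """Return wire-format RDATA for a TXT-style record built from the
    given strings (str is UTF-8 encoded, bytes taken as-is).  A string
    longer than 255 octets is rejected rather than silently truncated;
    the zone author must split it into several strings."""
    out = bytearray()
    for s in strings:
        if not isinstance(s, bytes):
            s = s.encode("utf-8")
        if len(s) > MAX_STRING:
            raise ValueError("character-string exceeds %d octets" % MAX_STRING)
        out.append(len(s))
        out += s
    return bytes(out)


def generic_rdata(rdata):
    """Render raw RDATA in RFC 3597 presentation form: '\\# <len> <hex..>'."""
    return "\\# %d %s" % (len(rdata), " ".join("%02x" % b for b in rdata))


def parse_generic(text):
    """Parse '\\# <len> <hex..>' back into raw RDATA.  Parentheses and
    newlines are tolerated (BIND's multi-line layout); the declared octet
    count must match the hex actually present."""
    body = text.replace("(", " ").replace(")", " ")
    m = re.match(r"\s*\\#\s+(\d+)\s*(.*)$", body, re.S)
    if not m:
        raise ValueError("not a \\# generic RDATA field")
    declared = int(m.group(1))
    rdata = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(rdata) != declared:
        raise ValueError("declared %d octets, found %d" % (declared, len(rdata)))
    return rdata


def split_txt(rdata):
    """Split wire-format TXT RDATA into its list of byte strings.  A
    length octet pointing past the end of the data is an error, not a
    short read."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        i += 1
        if i + n > len(rdata):
            raise ValueError("character-string runs past end of RDATA")
        strings.append(rdata[i:i + n])
        i += n
    return strings


# The idn-utf8 SPF string from the zone, spelled with the raw UTF-8 label
# instead of its punycode form (this is the value the zone encodes by hand).
IDN_SPF = "v=spf1 a:mail.グランピートロル.testdns.exim.org -all"

# The zone's own \# field for that record, copied from the file.
IDN_SPF_GENERIC = """\\# 61 ( 3C
            76 3d 73 70 66 31 20 61 3a 6d 61 69 6c 2e
            e3 82 b0 e3 83 a9 e3 83 b3 e3 83 94 e3 83 bc e3 83 88 e3 83 ad e3 83 ab
            2e 74 65 73 74 64 6e 73 2e 65 78 69 6d 2e 6f 72 67 20 2d 61 6c 6c
            )"""


def zone_record_matches():
    """True when encoding IDN_SPF reproduces the zone's hand-built field."""
    return txt_rdata([IDN_SPF]) == parse_generic(IDN_SPF_GENERIC)


if __name__ == "__main__":
    print(generic_rdata(txt_rdata([b""])))        # the zone's _loaded_0
    print(generic_rdata(txt_rdata([b"Hello"])))   # the zone's _loaded_1
    print(generic_rdata(txt_rdata([IDN_SPF])))
    print("zone idn-utf8 record matches:", zone_record_matches())
```

Run it as a script to print the `\#` forms next to the zone's; `zone_record_matches()` confirms the 61-octet value in the file, length octet 0x3C included, is exactly what the encoder produces, so the same routine can be used to regenerate the record if the SPF text changes.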